From: Pat.McAnally@sungard.com
Sent: Thursday, October 30, 2003 5:20 PM
To: rule-comments@sec.gov
Subject: File No. S7-17-03 Comments on behalf of SunGard Data Systems

DATE:    October 30, 2003
TO:      SEC: Jonathan G. Katz, Secretary, Securities and Exchange Commission, File No. S7-17-03
FROM:    SunGard Data Systems
SUBJECT: Comments on SEC Policy Statement: Business Continuity Planning for Trading Markets

Introduction

SunGard Data Systems Inc. ("SunGard") is providing comments to the Securities and Exchange Commission ("Commission") on the draft policy statement pertaining to business continuity for trading markets (the "Policy Statement"; Ref: Exchange Act Release No. 48545 (September 25, 2003), 68 Fed. Reg. 56656 (October 1, 2003)). This response reflects SunGard's perspective as a provider of information availability services through SunGard Availability Services, as a provider of systems and services supporting trading markets through SunGard's Investment Support Systems division, and as the owner of an electronic communications network ("ECN"), the Brut ECN System, which would be subject to the Policy Statement.

SunGard supports the efforts of the Commission and other financial regulators to strengthen the resilience of the financial sector. We welcome the clear guidelines and definitive goals set by the SEC for self-regulated trading markets ("SRO Markets") and ECNs.
The objective is both to manage systemic risk and to foster individual investor confidence in the resiliency of the markets in which an ever-increasing amount of their personal wealth is invested. There has been an increasing emphasis on the role of technology and infrastructure in evaluating operational risk, as well as a recognition that executives must focus on ensuring information availability. The definition of best practices changed with the issuance of the joint federal agency white paper, which set new standards of compliance, established stratification of organizations by degree of importance to systemic risk, and set recovery/resumption performance thresholds by segment.

Key Points

We would like to share our concerns about three specific areas of this Policy Statement for trading markets.

First, the focus of the Commission's efforts remains widespread regional disasters, such as experienced on September 11th. These types of outages present great risk to the stability of the markets. Thus, the Commission is rightly exploring every recovery option available to market participants. However, we are concerned that too much focus on highly publicized regional disasters will cause the adoption of continuity strategies that ignore the more probable types of production interruptions and that will prove detrimental to an organization's viability.

Second, in Section I of the Policy Statement, the authors indicate that Commission staff has been exploring the possibility of mutual back-up arrangements, commonly known in the business continuity industry as reciprocal arrangements. With more than 25 years' experience in addressing disaster recovery and business continuity planning, SunGard has repeatedly encountered the following problems with reciprocal arrangements:

· In general, reciprocal arrangements are a poor substitute for continuity solutions specifically developed for a firm.
Reciprocal plans often involve two firms that are normally competitors and that are not in the business of providing continuity services to third parties. As such, these arrangements are notoriously hard to invoke for mundane incidents such as hardware or software outages, cyber disruption such as denial of service attacks, and power failures.

· Reciprocal agreements underestimate the operational uniqueness of each participating firm, creating implementation difficulties upon activation. Typically, they are provisioned for data only and neglect the logistics of the human element. While the NASDAQ is a purely electronic exchange, at this time the NYSE still uses open outcry and trading specialists, requiring different operational considerations due to the human element of the business. If the NYSE relies on NASDAQ in a reciprocal arrangement, workspace is likely to be in short supply for NYSE traders.

· In addition, reciprocal arrangements are difficult to maintain over time, as technology obsolescence and disparate business objectives contribute to ever-widening incompatibility unless the two companies agree to be in lock-step in platform and software acquisition.

· Often there is not sufficient or clear contractual language and commercial accountability between firms engaging in reciprocal arrangements, causing the risk of performance failure and degradation of performance. Absent detailed service level agreements ("SLAs") as to backup strategy, software and hardware compatibility, audit rights, security provisions, and key provisions regarding tiered recovery and restoration, there is very little to substantiate the strength of a continuity plan or to establish who bears responsibility in the event of its failure.

· Provision for capacity to handle the combined load and provide for additional market volume would need special scrutiny.
According to the GAO report (Ref: GAO-03-414, GAO Report to the Committee on Financial Services, House of Representatives, Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants, February 2003), the regional exchanges may not have the capacity to handle the volume of NYSE trades (about 1.4 billion trades a day; ref: "Trading without NYSE Specialists," Leslie Wines, Wall Street, October 7th, 2003). Reciprocal partners would have to provision network connectivity, storage and processor capacity for more than the 100% peak load of each participant. The continuity plan must assume that prior volume records for the affected ECNs and SROs would be broken on the first day of resumption of trading after an outage and that a new record in order flow would be set at the opening of the market following the disaster. As businesses learned post-9/11, this must be addressed ahead of time, as provisioning at time of disaster does not work because resources cannot be readily obtained.

· Reciprocal agreements are generally not testable, since the testing process is likely to interfere with production availability. Due to the market risk, the Commission will require that any solution chosen must be testable.

· Connectivity to each other's supply chain counter-parties must be in place prior to any disaster due to long lead times for implementing network lines.

· Finally, market participants must consider the continuing natural concentration of market participants in New York City and other financial centers. While it is true that one can trade almost any share of any company on an ECN, if a number of ECNs or SROs are in the same concentrated area, then reciprocal arrangements within the same area do not eliminate the risk. SunGard agrees with the Commission regarding the requirement for geographic diversity.
In summary, SunGard recommends against reciprocal arrangements, since they represent a contingency strategy that drives a different kind of business behavior, introducing high-risk variables that are difficult to identify and test. There are also competitive considerations: an effective strategy must never introduce the risk of decreasing service to one's existing customers while giving aid to another set of customers.

The third issue we would like to highlight is the timing requirements for various segments of the trading industry. We believe the proposed guidelines for trading markets are reasonable and appropriate, but we are concerned about the lack of explicit recommendations for broker dealers. In the Policy Statement, the Commission noted "the number of sole members or subscribers of the market" (ref: Policy Statement, 56657) as an important risk factor in determining to what continuity standard a financial market participant should be held. While the Commission properly notes that many trading operations are users of multiple SRO markets and ECNs, this is not true at the individual investor level, because many investors are heavily reliant on one firm for trade execution and other financial services. Since a primary goal of the Policy Statement is to promote overall investor confidence in market resiliency in the event of a wide-scale disruption, establishment of clear standards for brokers should be a priority.

According to the final version of the joint federal agency white paper, organizations involved in core or significant portions of clearing and settling must recover and resume within 4 hours. The next logical demarcation is the establishment of a Recovery Time Objective (RTO) of less than 24 hours (next business day) for SRO trading markets, ECNs and shared systems such as market data feeds. The additional time exposes more cost-effective solutions, allowing for the orderly restoration of applications and staging of workspaces for staff.
In all likelihood, this RTO will still require high availability solutions for data (electronic vaulting/mirroring). Network bandwidth issues, timing of provisioning, and implementation of additional capacity and routing will also require disciplined execution in light of the tight time window. Communications with significant third parties must be preplanned, not just primary to alternate site, but alternate to alternate, as intended by the Securities Industry Association Phase I and II test protocol. As they did for Y2K, trading markets and ECNs that utilize third party vendors must verify their contingency preparations. All organizations that have not yet delineated their recovery/resumption strategies, or that have not begun rigorous testing of them, will need to begin immediately in order to meet the end of 2004 deadline.

However, the Commission stops short of a firm guideline for the remainder of securities firms, believing that the competitive nature of the industry will pressure them to adopt similar resumption benchmarks. In the previously cited GAO Report, the SEC noted that broker dealers are required to be able to ensure that any completed trades are cleared and settled and that customers have access to the funds and securities in their accounts as soon as is physically possible. While it is true that overall operational resilience is a true competitive advantage, many securities firms cannot currently reach a next-business-day resumption standard. As straight-through-processing initiatives proceed, and the reliance on technology increases, brokers need to understand what risks they are taking in not adopting best practices. Regulatory and supervisory expectations play a key part in driving awareness of the need for a more disciplined approach. Without it, smaller companies may find it difficult to garner executive support and adequate budget and thus may not achieve adequate levels of preparedness.
There are commercial, cost-effective solutions available to help brokers meet explicit timeframes. The Northeast power outage of August 2003 presented a useful illustration of how companies can cope effectively, even with widespread disruptions. SunGard supported 66 customers who declared disasters and another 166 who put us on alert. Over the course of the outage, SunGard hosted approximately 1,000 customer personnel at eight of its recovery facilities. We operated five of those facilities on diesel power and prepared over 2,200 contingency work positions with market data feeds, in addition to large numbers of servers and many complex network systems, for potential disaster declarations by our customers. Coupled with well-thought-out strategies, our redundant infrastructure enabled many financial services companies to accomplish their trading objectives in an orderly and timely fashion.

In 2002, both the NYSE and the National Association of Securities Dealers (NASD) began the process of accepting comments on business continuity and information security guidelines for their respective members. We urge the Commission to work with the NASD and NYSE to accelerate these initiatives.

Lastly, we urge the Commission to highlight the need for public company reporting on business continuity and information security status and risk mitigation, similar to the SEC requirement for Y2K preparedness. Tom Ridge has publicly raised this issue and tied it to Homeland Security initiatives. Similar legislation is being discussed by the House Government Reform Subcommittee on Technology and Information Policy. The more attention paid to protecting critical information systems, the more secure the financial infrastructure will become.

Conclusion

Much has changed in the continuity industry since the attacks of September 11th, 2001.
The focus of financial institutions has been increased attention on identifying and mitigating exposures and deploying appropriate information availability strategies. However, there is an opportunity to further improve the ability of the financial markets to withstand future disruptions by setting clear guidelines for all participants. According to a Harris Interactive research poll conducted in July 2003, on average, Fortune 1000 executives give their company a grade of "C+" when it comes to the ability to access business-critical information quickly after a disaster (Ref: Harris Interactive Market Research poll, Disaster Preparedness and Information Availability in Post 9/11 Corporate America, July 2003). SunGard commends the SEC on its efforts to improve the resilience of US financial markets and offers this commentary to facilitate ongoing industry discussions.

About SunGard

SunGard is a global leader in integrated IT solutions for financial services. SunGard is also the pioneer and leading provider of information availability services. SunGard serves more than 20,000 clients in over 50 countries, including 47 of the world's 50 largest financial services companies. SunGard (NYSE: SDS) is a member of the S&P 500 and has annual revenues of more than $2 billion. Visit SunGard at www.sungard.com.